Publishing a project on Maven Central

In this two-parts article, I will explain how to publish a Gradle based project on Maven Central using the new maven-publish plugin.

This article is the first of a two-parts article. This one will focus on how to import a project on Maven Central regardless of the Build Automation System you’re using. The second article you can found here explain how to create a build.gradle file using the new maven-publish plugin to create, sign and publish your artifacts on Maven Central.

The logo of Sonatype, the company which handle the Maven Central Repository

Background

Recently I had to add a library (schemaorg-java libray) to one of my personal project that was built using Maven. Unfortunately, the schemaorg-java library wasn’t on Maven Central so I decided to fork it and to publish it.

Create a Jira Account and a Ticket for your Group Id

The first step is pretty simple, you have to create a Sonatype Jira account here. Next, create a ticket here to ask for a group id (that you will use in your pom.xml). Notice the policies concerning the group id you choose. In particular, if you are a github username, you can choose something like com.github.username or io.github.username (in my case I choose com.github.mautini).

After you complete this step, wait until you ticket is marked as resolved. It can take several hours as it’s a manual process. Don’t deploy your artifacts before its done.

Create a GPG Key and Sign your Artifacts

Maven Central requires that you sign all your artifacts and your pom.xml files with a GPG Key. You can generate this key with GnuPG using the command line tool:

gpg --gen-key

Answer the questions (Name, Mail) and set a passphrase if you want.

If you are a mac user, you can use the GPG Tools to create your key. It offers a neat interface for it.

If the gpg commands hang during the generation of the key, it can be due to a lack of entropy on your computer. Try to move your mouse or tap on your keyboard to generate it.

For signing your pom.xml and artifacts, you’ll need 3 things from your key:

• Its short ID (6 hexadecimals characters): You can get it with the command gpg --list-keys.
• Its passphrase (if you set any): You must know it as you provide it during the generation of the key.
• The file containing the private key: gpg stores by default this file in the (hidden) folder ~/.gnupg. If you don’t find it, you can use the command gpg --export-secret-keys -a <keyID> > secret.gpg with <keyID>, the short ID of your key.

Update your Pom and Publish your Artifacts

Now that you have your account on Sonatype and the key to sign your artifacts. You can edit your pom to add the requirements for Maven Central. In particular, provide the following information:

• groupId (the same as when you register on Jira)
• artifactId
• version
• project name, description and url
• licence for your project
• information about developers
• information about your Source Control Manager

If you are deploying using a Maven build, you can directly set this values in your pom.xml. In case you use a Gradle build to publish, we’ll see in the part 2 of this tutorial how to set this values in your build.gradle.

Here is the resulting pom.xml file from the project I published (generated via a Gradle build).

Depending on your build system you can now sign your artifacts and your pom.xml to prepare for publishing

This tutorial will not cover the signing with Maven as they are plenty of tutorial that explain how to do that. The signing with Gradle will be cover in the second part of this article.

Release your library and check if everything is OK

After you publish your library, log in to Sonatype Nexus Repository Manager with the same credentials as your Jira account and browse to Staging Repository. If your upload succeed, you’ll find your library at the bottom of the list. Here you can check the content of the upload. When it’s done, click the Close button in the bar above the list, this will trigger a set of analysis on your delivery. This can take some minutes to complete (if the interface doesn’t refresh, force the refresh in your browser) and you’ll get the result:

• The tests failed: You can check which test failed, use the Drop button to delete your upload, fix the problem(s) and republish your library.
• The tests succeeds: Congratulations! You can now click the Release button. If it’s your first upload, you have to mention it in commentary of the Jira ticket you opened in the first step. You can then find your artifact in the Maven Central Repository within 10 minutes and on Maven Central Search within 2 hours.

Tests results for my project, here everything is ok. I can now click on the release button

Resources

• OSSRH Guide: The official guide for the Central Repository
• Generating a new GPG key: Github Tutorial on how to generate a GPG Key
• Requirements: The list of requirements from Sonatype for releasing your project on Maven Central

Closing Thoughts

I hope this first article was useful for you and you enjoyed reading it. Don’t hesitate to comment and to give me some feedback. You can also read the second part of this article here.